FDPPI is your Privacy Companion

FDPPI presently has Chapters in Bengaluru, Mumbai, Delhi, Pune, Hyderabad, Chennai and Nagpur and Kolkata.

Now FDPPI has activated its Chapter in Ahmedabad under the leadership of Advocate Anandaday Mishra, Founder and Managing Partner of AMLEGALS, a leading full service law firm, who will be the President of the Chapter.

Mr Anand is a seasoned Data Privacy professional working in multiple jurisdictions across the globe on data privacy.

The Chapter would function from the premises of AMLEGALS, 201, 203, Westface, Opp Baghban, Zydus Hospital Road, Thaltej, Ahmedabad 380054 and Mr Anand can be contacted at fdppi.ahd@amlegals.com or -8448548549.

FDPPI and AMLEGAL look forward to undertake many activities in Ahmedabad to further the cause of Privacy and Data Protection in India.

We invite professionals in Ahmedabad and other parts of Gujarat to get in touch with Mr Anand to build the community of FDPPI members in the region.

Naavi

Sri Ratan Tata has lived a full productive life which any body can be proud of. While we regret that his leadership would no longer be available to guide the Indian industry, it is our duty to remember and follow his vision and principles.

One of the notable observations about his career is his commitment to the good of the nation. He was an example for other industrialists and exhibited this commitment in no small measure when he took over Air India.

Naavi and FDPPI appreciate this spirit of working for the benefit of India and follow similar principles of indigenous approach to what we do whether it is DGPSI as a framework or C.DPO.DA. as a Certification.

We therefore would continue to remember him and dedicate one of our annual Privacy Awards we normally distribute during our annual flagship event “Indian Data Protection Summit 2024” (This year to be conducted on November 30 and December 1 at Bengaluru as a hybrid event), to “Commitment to National good”.

More details would be shared separately.

FDPPI which got its Certificate of Incorporation on 17th September 2018 has completed six years today and moving into the 7th Year. We take this opportunity to thank all those who interacted with us in these six years and contributed to what FDPPI is today.

FDPPI also thanks all the members who through their voluntary contributions sustained the efforts of FDPPI all these years.

During this auspicious occasion, FDPPI has undertaken a giant step towards creating a “Cross Certification” system for Data Protection Professionals in India. Under this scheme, FDPPI recognizes that many professionals have acquired qualifications as Privacy and Data Protection Professionals from other organizations such as IAPP, DSCI or ISACA. Some have also obtained similar Certificates from other Private organizations in India.

At the same time FDPPI is providing its own C.DPO.DA. Certification.

While each of the organizations consider their program as the best option for the professionals, the professionals themselves need to go for multiple certifications at a huge cost though there is a overlapping of learning elements in each of these Certifications.

FDPPI as an organization that has been promoted by the professionals themselves strongly believes that “Certifications” are important but should not be a burden to the professionals. Hence to ease the burden of multiple certifications, FDPPI introduces a “Cross Certification Scheme” where those professionals who have already obtained Certifications from other organizations can opt to acquire C.DPO.DA. just by passing through the online examination. If the knowledge acquired in these certifications are good enough, most of these professionals can successfully pass through the examination. If not, they can try to acquire additional knowledge and skills through FDPPI’s own “Master Trainers” and try to attempt the exam again.

FDPPI adopted a unique Banyan Tree model of development where FDPPI remains as a Not for Profit Section 8 company but its set of “Business Associate Members” (earlier called Supporting members) develop and execute commercial projects under the FDPPI banner and provide a royalty revenue to FDPPI.

We take this opportunity to renew our request to our Business Associate Members or Associate Service Providers to come up with new thoughts on how they will be able to develop new services for themselves and also support the future growth of FDPPI.

To start with, we invite some of our Business Associate Members to become “Master Trainers” for C.DPO.DA. A training for trainers would be conducted by Naavi to ensure a reasonable base standard for trainings conducted by such “Master Trainers”.

As a leader of Business Associate Members, Ujvala Consultants Pvt Ltd which is also a patron has come forward with a new service namely the DPDPA Insurability Index where the auditors of Ujvala conduct a quick assessment of DPDPA compliance by an organization with a specific objective of identifying the “Insurable Status” of the organization for a “DPDPA Insurance Cover” against liabilities arising out of DPDPA 2023 non compliance.

We look forward for others to come forward with their own projects which can be executed under the umbrella of FDPPI with a royalty payment.

FDPPI welcomes the circular of CERT In to the empanelled auditors recommending the FDPPI’s three day program scheduled to be held at Bengaluru on September 27, 28 and 29 for C.DPO.DA. Certification.

It may be observed that FDPPI’s approach is to develop “Certified Data Protection Officer and Data Auditor” through this program. Most of the training organizations stop at discussing the requirements of a DPO who has the responsibility to guide implementation of “Compliance By Design” in an organization.

However, FDPPI considers that DPDPA envisages a definitive role for independent “Data Auditors” who will conduct periodical (annual) audits of organizations regarding the compliance of the Act. FDPPI believes that this is a statutory recognition for auditors who would be conducting “DPDPA Compliance Audit” .

FDPPI has therefore placed an equal emphasis on “Data Audit” in its C.DPO.DA. program which makes it globally unique. While in future we may split the program into two parts with the “Lead Implementer” and “Lead Auditor” roles being considered separate, at present both these are combined in the C.DPO.DA. program which makes it unique.

Accordingly, the curriculum of the program covers

The real impact of this program on the professionals and the organizations in which they work will be enormous.

a) The legal basis for Data Protection in the form of nuances of DPDPA 2023 along with ITA 2000, CPA 2019 and also international laws such as GDPR.

b) Implementation challenges for “Compliance by Design” with Technical and Organizational controls including the technical challenges of

-Data Discovery, Data Classification, Data Storage, Data Access, Consent Management, Management of Rights of Data Principals, Minor’s Data Management, Data Breach Management, Data Retention Management, Data Confidentiality, Integrity and Availability Management, Grievance Redressal management, Management of Consent Managers, Data Pseudonymization, etc.,

c) Governance Challenges related to how the risks can be assessed and managed including Data Valuation and using Cyber Insurance.

d) Conducting an Audit of how an organization has complied with the DPDPA 2023 requirements in a technical environment with a focus on how to look for evidence gathering and validation.

FDPPI’s Certification C.DPO.DA. is a crown jewel which would be available only for those who successfully complete the examination.

All persons who attend the program are given one free attempt at the examination. Examination would be online for a duration of 2 hours. If they opt out of the examination, they will get a “Participation Certificate”.

If they appear for the exam and cross the first cut-off point, they will be eligible for “C.DPO.DA-L1 (Foundation Level)” Certificate. If they cross the second cut-off point, they will be eligible for “C.DPO.DA.-L2 (Implementation Level) Certificate”. If they are able to cross the third cut-off point they will be eligible for C.DPO.DA.-L3 (Expert Auditor Level) certification.

Appropriate reading material would be provided both online and offline. Discussions will include lectures and Case study discussions.

It is our desire that we want to make the Program an elevating experience for all the participants.

Look forward to meeting you…

Naavi

At present there is a large section of professionals in India with expertise to conduct audits for Information Security and some of them are also engaged as “Auditors of CERT In Empanelled organizations”. The “Auditors of CERT In Empanelled organizations” were expected to be a hybrid type of auditors who were capable of assessing the Information System Controls from the perspective of compliance to the ITA 2000 provisions which was the law of the land. This required a “Techno Legal Understanding” that not all IS auditors could manage successfully.

With the need to now understand DPDPA 2023, the role of Techno Legal Auditors in India has undergone a further change and there is an urgent need to upgrade the expertise of “Technically qualified Information Security Auditors to understand the need to conduct audits with the Legal perspective”.

This transformation from Technical Information Security Audit to Techno Legal DPDPA audit is the need of the day and is being addressed by FDPPI though its C.DPO.DA. (Certified Data
Protection Officer and Data Auditor) Course.

In order to expand the reach of such course, FDPPI is conducting a three-day offline program exclusively designed for Information Security experts including “Auditors of CERT In Empanelled organizations”.

The first of such program will be held in Bengaluru, on 27th ,28th & 29th September 2024.

Venue:

Viveka Auditorium Yuvapatha,

#4, 31st Cross Rd, 4th T Block East, 4th Block, Jayanagar, Bengaluru, Karnataka 560011

Contact: fdppi4privacy@gmail.com

Payment for Registration can be made here:

Kindly note that all participants would be eligible for Participation Certificate with 18 hours CPE. The participants are also eligible for attending the online examination within October 15 and obtain the full certificate C.DPO.DA.

The normal fee of Rs 10000/- for examination is waived for the participants for one appearance within 15th October 2024. One year individual membership worth Rs 10000/- is also free.

The program would be lead by Naavi and would include several case study discussions and practical issues in the implementation of DPDPA Act and upcoming rules.

The program would also discuss the details of India based frameworks such as the Cyber Security Framework of CERT In and BIS standard (draft) for Data Governance and Data Protection. It may be noted that at present there is no other similar program in India with a focus on Indian requirements of data protection, particularly to the depth to which this program goes in.

Appropriate reading material would be provided during the program for the participants including a copy of the book “Guardians of Privacy…by Naavi”

This program will further strengthen the approach of FDPPI to develop an indigenous approach to the compliance of DPDPA using DGPSI along with CSF of CERT-In for information security of applicable personal information.

Price with GST

(For the Bengaluru Program only)

The program is designed for “Auditors of CERT In Empanelled organizations” and the capacity is a maximum 25 numbers. A few Auditors who are not “Auditors of CERT In Empanelled organizations” are being accommodated on specific request.

Payment for Registration can be made here:

One of the notable mentions made by Prime Minister Mr Modi during the Independence Day Speech yesterday was a call for development of Indigenous standards.

This was heartening since FDPPI has been working on the indigenous standard DGPSI (Data Governance and Protection Standard of India) which is meant as a framework for organizations to be compliant with DPDPA 2023.

Currently many organizations and professionals work around available but incompatible frameworks such as ISO 27001 and 27701 and claim that they are able to achieve compliance of DPDPA 2023.

This view arises both from the point that the companies know these frameworks, worked with them and are familiar. The fear of the unknown and “Resistance to Change” prevents them from even considering an alternative solution. Often they find excuse in the fact that their customers ask them if they are ISO 27001 compliant or GDPR Compliant and therefore they have no choice.

Choices can be considered only if there is a conviction that frameworks like ISO 27001 or 27701 were created for different contexts and though they may be best suited for those contexts, they need not be so for he Indian context.

For Example we have repeatedly drawn comparison to Cricket and pointed out that Gavaskar is a legend but today for the T 20 matches he is not the right choice ahead of say Suryakumar Yadav. Mr Neeraj Chopra may be the best Javelin Thrower in India but you cannot ask him to compete in discuss throw or shotput.

Once companies shed their resistance to look at the new frameworks, they need to understand what the framework suggests and arrive at their own conclusions about whether a customized ISO 27701 is a solution for DPDPA 2023 compliance or DGPSI is a better solution.

We must also accept that “Frameworks” are only guidelines and just because we follow a framework it does not mean that we are perfect in compliance. We all know how many companies in India are ISO 27001 compliant and whether they have the necessary security infrastructure. Implementation is therefore extremely important and this comes only with the understanding of the law of DPDPA 2023.

FDPPI in its One day workshops on “Implementation Challenges in DPDPA 2023” of the type being conducted in Navi Mumbai on August 31 and in Mumbai on September 1 addresses these requirements.

We invite all professionals in Mumbai and Pune to take advantage of this program and attend the same.

Naavi